Sunday, 27 January 2019

Qixun Zhao (@S0rryMybad) releases PoC of Chaos vulnerability for iOS 12.1.1


QIXUN ZHAO MAKES CHAOS PROOF-OF-CONCEPT PUBLIC

In November 2018, Qixun Zhao aka S0rryMybad demonstrated a remote jailbreak on A12 devices at the TianfuCup PWN Contest.

Termed “Chaos”, this kernel vulnerability discovered by Zhao can be triggered directly in the sandbox.

Since this vulnerability allows RCE (Remote Code Execution), we can trigger it from the mobile Safari web browser, thus jailbreaking the device remotely.



SorryMybad (@S0rryMybad):

IPC Voucher UaF Remote Jailbreak Stage 2 http://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202.html … (Chinese, English may be later) and demo : http://v.youku.com/v_show/id_XNDAyNjM1Mjk0OA==.html …


3:36 PM - Jan 23, 2019




S0rryMybad also posted a video of the remote jailbreak he developed on the Chinese website Youku. We have reposted the video from his Youku account on Twitter.

The video showcases a remote jailbreak running on two iPhone XS devices. The hacker opens the jailbreak website (192.168.1.52), which delivers the exploit, and the device then resprings in jailbroken mode.





Yalu Jailbreak (@Yalujb):

iOS 12.1.1 remote jailbreak demonstrated on iPhone XS, PoC of Chaos kernel vulnerability to be released soon (dev - @S0rryMybad). #RETWEET for visibility


8:24 PM - Jan 23, 2019


After successfully jailbreaking the iPhones, S0rryMybad proceeds to launch Mobile Terminal, which confirms that the hacker has gained root access on iOS 12.1.1 firmware.

HOW THE CHAOS KERNEL VULNERABILITY WORKS

The iOS kernel contains a component called MIG (the Mach Interface Generator), whose code is generated automatically from .defs interface definition files.

Generally, the generated MIG code converts the incoming port names into kernel objects, manages the reference counts of those objects, and then calls the kernel method that implements the requested routine.

If the kernel developer is not familiar with how MIG manages these references, the reference counts of kernel objects can be mishandled (taken without being released, or released one time too many), which is what allows an attacker to circumvent the defenses.
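To make the reference-counting responsibility concrete, here is an added, deliberately simplified model of the MIG pattern described above. It is not code from Zhao's write-up or from the XNU kernel: the object table, the port names, the `convert_port_to_object` stub and the three hypothetical routines are all constructed for illustration. The point it shows is the invariant an auditor checks: the generated stub takes one reference when it converts a port name and drops it after the routine returns, so a routine that changes the count without balancing it leaves the object either leaked (count too high) or, worse, at zero while a port name still refers to it.

```c
#include <stdio.h>

/* Minimal model of a reference-counted kernel object (hypothetical, not XNU). */
typedef struct kobject {
    int refcount;
    const char *name;
} kobject_t;

/* A tiny "port namespace": integer port names index into a table of objects.
 * Constructed sample data; each object starts with one reference (its port). */
#define NPORTS 4
static kobject_t port_table[NPORTS] = {
    {1, "object-a"}, {1, "object-b"}, {1, "object-c"}, {1, "object-d"}
};

static kobject_t *kobject_reference(kobject_t *o) { o->refcount++; return o; }
static void kobject_release(kobject_t *o) { o->refcount--; }

/* Models the MIG-generated conversion: port name -> object, taking one reference
 * that the stub owns for the duration of the call. Returns NULL for a bad name. */
static kobject_t *convert_port_to_object(int port_name) {
    if (port_name < 0 || port_name >= NPORTS) return NULL;
    return kobject_reference(&port_table[port_name]);
}

typedef int (*routine_t)(kobject_t *obj);

/* Correct routine: uses the object but leaves its reference count untouched. */
static int routine_balanced(kobject_t *obj) {
    (void)obj;
    return 0;
}

/* Buggy routine: takes an extra reference (e.g. to store the object) and never releases it. */
static int routine_leaks_reference(kobject_t *obj) {
    kobject_reference(obj);
    return 0;
}

/* Buggy routine: releases the reference the stub still owns, so the stub's own
 * release afterwards drives the count to zero while the port name still exists. */
static int routine_over_releases(kobject_t *obj) {
    kobject_release(obj);
    return 0;
}

/* Models the generated MIG stub and audits it: convert the in-parameter, call the
 * routine, drop the stub's reference, and report the net change in refcount.
 * 0 means balanced; +1 is a leaked reference; -1 is a premature release.
 * Returns -999 for an invalid port name. */
static int mig_dispatch(int port_name, routine_t routine) {
    kobject_t *obj = convert_port_to_object(port_name);
    if (obj == NULL) return -999;
    int baseline = obj->refcount - 1;   /* count before the stub took its reference */
    routine(obj);
    kobject_release(obj);               /* the stub always drops what it took */
    return obj->refcount - baseline;
}

int main(void) {
    printf("balanced routine:     delta %d\n", mig_dispatch(0, routine_balanced));
    printf("leaking routine:      delta %d\n", mig_dispatch(1, routine_leaks_reference));
    printf("over-releasing routine: delta %d (count now %d, object still reachable)\n",
           mig_dispatch(2, routine_over_releases), port_table[2].refcount);
    return 0;
}
```

In a real kernel the third case is the dangerous one: a count that reaches zero frees the object, yet the port name in the table still resolves to it, which is the shape of a use-after-free. Auditing generated dispatch code for this "who owns the reference after the call" question is the defensive check the paragraph above describes.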




Although the proof-of-concept for Chaos vulnerability is now public, Qixun has made it very clear that he doesn’t intend to make the exploit source code public.

If developers are keen on developing an iOS 12 jailbreak, they will have to put the pieces of the puzzle together and complete the exploit on their own.

This also includes the post-exploitation code that developers use in the later stages of jailbreak development.

WHAT NEXT FOR THE JAILBREAK COMMUNITY?

According to Tihmstar, the Chaos proof-of-concept can be used to develop an exploit for iOS 12.1.1 and earlier versions.

This can be achieved by copy-pasting the PoC into the v0rtex exploit for iOS 10.3.3, replacing some of the code from jelbrektime, and then adding the correct offsets.

Since Apple is still signing iOS 12.1.1 firmware, I highly recommend jumping on it before the signing window shuts – if and only if you are on a higher version.

Now that the final iOS 12.1.3 update is out, fire up iTunes and download the iOS 12.1.1 (final) IPSW firmware file.
